With the rapid development of the Internet in recent years, network access environments at user premises, such as ADSL (Asymmetric Digital Subscriber Line), FTTH (Fiber To The Home) and CATV (Cable Television), and public network access environments, represented by the widely deployed APs (Access Points) of wireless LAN (Local Area Network) systems, have also been developed and maintained extensively. As a result, there are increasing opportunities for a portable computer such as a notebook personal computer, which stores important information and can also obtain important information via a communication network, to be taken outside the intranet of its own organization and connected to an outside communication network other than that intranet. Here, an intranet is an internal network that an organization such as an enterprise or corporation constructs on its own for internal communication, and in which the security of communication inside the network is strictly managed.
One problem that may arise when the portable computer is taken outside the intranet and connected to an outside communication network is a security incident in which important information stored in the portable computer leaks out.
Therefore, in order to manage security strictly within the organization, a security administrator of the organization may wish to take countermeasures such as prohibiting use of the portable computer on any communication network other than the intranet, or, where use on another network is permitted, restricting communication to a virtual private network (VPN), or changing functional settings in the portable computer so that communication contents are filtered.
However, it is difficult for most users to change the functional settings of the operating system (OS) in the portable computer, or to install security software such as a VPN client in the portable computer and configure it appropriately for each network the portable computer is to use. Accordingly, the security administrator could perform the appropriate functional setting of the portable computer on behalf of the user. However, the software environment of the operating system (OS) and application software (AP) employed on the portable computers used in an organization is highly varied, so it is also difficult for the security administrator to configure all portable computers used in the organization appropriately. Even if the security administrator can configure all portable computers appropriately, there remains the possibility that a user of the portable computer disables, accidentally or intentionally, the functional settings made by the security administrator.
As a method of solving such management problems for portable computers in an organization, and the associated network security problem, a virtual system is considered to be one solution.
The virtual system is a system that realizes computing environments virtually, and includes virtual machines (VMs) and a hypervisor. A virtual machine (VM) is a virtually realized computing environment, and the hypervisor manages a plurality of virtual machines and also manages the resources and the like of the real computer system. The hypervisor is also called a virtual machine monitor (VMM). In the virtual system, a special virtual machine called a service VM controls the real devices and the management interfaces of the virtual system; the service VM may, however, be integrated with the hypervisor. The virtual machine for the user's environment is called a user VM.
When the virtual system is used, communication processing with an external network can be performed by the service VM rather than the user VM. The user can then be positioned as the administrator of the operating system (OS) on the user VM, while the security administrator or the like is positioned as the administrator of the service VM and the hypervisor. Since the user holds administrator privileges only inside the user VM, settings enforced in the service VM or the hypervisor, such as VPN-only communication or content filtering, cannot be disabled from the user VM. As a result, the range of management to be performed by the security administrator can be limited and reduced, and the management load of the security administrator can be reduced further by sharing a common environment on the service VM.
In the virtual system, when a user performs network access from the user VM, a virtual communication device provided in the user VM is used. The virtual communication device has an address used for communication, just as a real communication device does. One such address is the "MAC address (Media Access Control address)" used for media access control at the data link layer by Ethernet (registered trademark).
In a closed network such as a LAN (Local Area Network), the MAC address is often used as part of the user's identification information. Because a unique value is assigned to the MAC address of each real communication device when it is manufactured, it is not so difficult to make the real communication device an object of management. In the case of a virtual communication device, however, the address such as a MAC address is determined when a connection using the virtual communication device is created, so there is the problem that managing such an address as part of the identification information is troublesome, and a method of solving this problem is considered necessary.
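The following is an added example, not code from the original document or from any product it describes, showing the management problem just stated and one way a service VM could address it. It contrasts a virtual NIC that receives a fresh random MAC address each time it is created (so a LAN-side registry keyed on MAC can never recognise it) with a MAC derived deterministically from a stable VM identifier and NIC index. The identifier format, the registry, and the user names are assumptions made for the example; both generators set the locally administered bit and clear the multicast bit so the result can never collide with a manufacturer-assigned address.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _format_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def _make_local_unicast(first_octet: int) -> int:
    # Set the locally administered bit (0x02) and clear the group/multicast
    # bit (0x01): the address is then valid as a unicast source and cannot
    # collide with a manufacturer-assigned (OUI-based) MAC address.
    return (first_octet | 0x02) & 0xFE


def random_vmac() -> str:
    """The behaviour the text describes as the problem: a fresh address each
    time the virtual NIC is created, so the LAN has nothing stable to key on."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = _make_local_unicast(octets[0])
    return _format_mac(octets)


def stable_vmac(vm_id: str, nic_index: int = 0) -> str:
    """Derive the same locally administered MAC every time from a stable
    identifier (assumed here to be the service VM's record of the user VM)
    and the NIC index within that VM."""
    digest = hashlib.sha256(f"{vm_id}/nic{nic_index}".encode()).digest()
    octets = bytearray(digest[:6])
    octets[0] = _make_local_unicast(octets[0])
    return _format_mac(octets)


def is_local_unicast(mac: str) -> bool:
    """Check that a MAC string carries the locally administered bit and not
    the multicast bit, i.e. that it is one the service VM may have issued."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def identify_user(mac: str, registry: Dict[str, str]) -> Optional[str]:
    """Look a MAC up in a LAN-side registry of MAC -> user.
    None means the device is unknown to the LAN."""
    return registry.get(mac.lower())


if __name__ == "__main__":
    # Constructed sample registry: built once at provisioning time.
    registry = {stable_vmac("vm-0001"): "alice", stable_vmac("vm-0002"): "bob"}

    # At connection time the stable address resolves, the random one does not.
    print("stable :", identify_user(stable_vmac("vm-0001"), registry))
    print("random :", identify_user(random_vmac(), registry))
```

The derivation is one-way: a LAN operator who sees the MAC cannot recover the VM identifier, but the service VM, which controls the real device, can always regenerate the same address and therefore has nothing extra to store or synchronise.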
Another address used for communication is the "IP (Internet Protocol) address". When the service VM performs, as part of the communication processing, an operation relating to the real network in which the IP address of the real communication device is involved, it is necessary to assign an IP address to the virtual communication device of the user VM as well. In this case, the virtual communication device of the user VM needs an IP address different from that of the real communication device. However, on certain types of network it may not be possible to obtain a plurality of IP addresses. Where a plurality of IP addresses cannot be obtained, the problem can be solved by giving a temporary IP address to the virtual communication device and having the service VM perform address translation such as NAT (Network Address Translation). However, address translation cannot be applied to certain types of service protocol, for instance a protocol that carries the endpoint's own IP address inside the application payload, where translating the packet header alone leaves the untranslated temporary address visible to the peer. A method of obtaining a plurality of IP addresses is therefore considered necessary.
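The following is an added example, not code from the original document, of the fallback just described: the user VM's virtual NIC holds a temporary IP address, and the service VM, which owns the single real IP address, rewrites outbound packets to that address and maps replies back. The packet model, the addresses, the port range, and the payload format are all constructed for the example. It also shows the failure mode the text notes: when a service protocol writes the temporary address into its payload, the header-only translation leaves that address in place.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed model of a transport datagram: the header fields NAT
    rewrites, plus the application payload it does not touch."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class ServiceVmNat:
    """Port-based NAT as the service VM would run it on behalf of user VMs
    when only the real device's single IP address is available."""

    def __init__(self, real_ip: str, first_port: int = 40000) -> None:
        self.real_ip = real_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}   # (vm_ip, vm_port) -> real port
        self._back: Dict[int, Tuple[str, int]] = {}  # real port -> (vm_ip, vm_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a user-VM packet so it leaves with the real device's address,
        allocating one real-side port per (temporary IP, port) pair."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._back[port] = key
        return Packet(self.real_ip, self._out[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the user VM's temporary address. Anything that
        does not match an existing outbound flow is dropped (None), so the
        user VM is never reachable from outside except through its own flows."""
        if pkt.dst_ip != self.real_ip or pkt.dst_port not in self._back:
            return None
        vm_ip, vm_port = self._back[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, vm_ip, vm_port, pkt.payload)


def payload_embeds_address(pkt: Packet, address: str) -> bool:
    """The case header-only NAT cannot handle: the protocol has written an IP
    address into the application payload, which outbound() leaves untouched."""
    return address.encode() in pkt.payload


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.2 is the user VM's temporary address,
    # 203.0.113.10 the real device's address, 198.51.100.7 an external peer.
    nat = ServiceVmNat("203.0.113.10")
    request = Packet("10.0.0.2", 5000, "198.51.100.7", 80, b"GET / HTTP/1.0\r\n\r\n")
    on_wire = nat.outbound(request)
    print("outbound :", on_wire)
    print("reply    :", nat.inbound(Packet("198.51.100.7", 80, on_wire.src_ip, on_wire.src_port)))

    # A protocol that announces its own address in the payload: the header is
    # translated, but the peer is told to reach an address it cannot route to.
    announce = Packet("10.0.0.2", 5060, "198.51.100.7", 5060, b"CONTACT 10.0.0.2:5060")
    print("leaks    :", payload_embeds_address(nat.outbound(announce), "10.0.0.2"))
```

Note that the peer-initiated case is also excluded by design: with no outbound flow to match, `inbound` drops the packet, which is the same property that makes this arrangement acceptable from the security administrator's side and unusable for protocols that expect to be contacted directly.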
As related art, Japanese Patent Application Laid-Open No. 2001-127822 discloses a technology for a Network Access Arbitrator that can switch between different Network Access Technologies such as wireless LAN, token ring and Ethernet (registered trademark) without stopping an active network application and without disconnecting an active session in use.
This Network Access Arbitrator is a virtual network adapter driver located between the data link layer and the network layer of the standard OSI (Open Systems Interconnection) protocol stack, and it controls the switching between the different Network Access Technologies. Because all computer network applications operate at layers above the network layer, every application using a network service (connection-oriented or connectionless) provided by the network layer continues without its active network sessions being disconnected when the Network Access Arbitrator switches between Network Access Technologies.
Japanese Patent Application Laid-Open No. 2007-228098 discloses a network function proxy for an embedded OS (Operating System) simulator that supports software development for embedded equipment.
In this related art, the network function proxy, which enables communication between the embedded OS simulator and the host OS of the general-purpose computer on which the simulator itself runs, is realized without affecting the existing network device drivers of the host OS.
The network function proxy includes a network function proxy part that provides the alternate network function, a packet distribution part that judges whether the destination of packet data transmitted from the embedded OS simulator is the general-purpose computer on which the embedded OS simulator is operating or an external network, and a bridge module that serves as a network device driver toward the network layer of the general-purpose computer's OS and delivers packet data.
Japanese Patent Application Laid-Open No. 1997-233094 discloses a virtual network system that performs data communication across a plurality of LAN segments. In particular, this technology is effective when applied to a virtual network system that performs data communication efficiently among a plurality of emulated LANs, which emulate existing LANs on an ATM (Asynchronous Transfer Mode) network.
This related art includes selecting means that selects, for each packet created by a protocol operating at a layer higher than the network layer, one of two cell assembly processes, namely a LAN emulation process and a native mode ATM process; LAN emulation means that performs the LAN emulation process and creates ATM cells from a MAC frame assembled from the packet; and native mode ATM means that performs the native mode ATM process and creates ATM cells directly from the packet. The selecting means selects either the LAN emulation process or the native mode ATM process, the ATM cells are created by the LAN emulation means or the native mode ATM means according to that selection, and data communication is performed with the created ATM cells.
A virtual network system and method in a processing system is disclosed in PCT publication No. WO 02/086712 A1.
According to this related art, a method and system for emulating a switched Ethernet local area network are provided. A plurality of computer processors, a switch fabric, and point-to-point links to the processors are provided. Virtual interface logic establishes virtual interfaces over the switch fabric and the point-to-point links, each virtual interface defining a software communication path from one computer processor to another via the switch fabric. Ethernet driver emulation logic executes on at least two of the computer processors, and switch emulation logic executes on at least one of them. The switch emulation logic establishes a virtual interface between itself and each computer processor on which Ethernet driver emulation logic is executing, allowing software communication between them.